Why SSL Is So Slow to Catch On................

Rusty Snippets

Rusty Snippets

Well-known member
.......................... a lot of it is predator web hosts lol!! My shared server host wants $150 for the cert and installation!! What?! I asked if they were going to support Let's Encrypt anytime soon, and he said he could get me one from them but the $150 was still the cost!! What?!

I have delved into a VPS host, and have learned a lot in a short time. I believe I have it as secured as I can get it, using FirewallD, Fail2ban and a few other goodies. I have done some vulnerability testing, and have only 3 needed ports/services open. They are all set up with 2fa when using them, ssh is key only. I am going to start moving my few sites over soon, and start hosting them myself.

Any wise words of wisdom for a fresh new admin? All pointers appreciated!
 
Rusty Snippets said:
.......................... a lot of it is predator web hosts lol!! My shared server host wants $150 for the cert and installation!! What?! I asked if they were going to support Let's Encrypt anytime soon, and he said he could get me one from them but the $150 was still the cost!! What?!

I have delved into a VPS host, and have learned a lot in a short time. I believe I have it as secured as I can get it, using FirewallD, Fail2ban and a few other goodies. I have done some vulnerability testing, and have only 3 needed ports/services open. They are all set up with 2fa when using them, ssh is key only. I am going to start moving my few sites over soon, and start hosting them myself.

Any wise words of wisdom for a fresh new admin? All pointers appreciated!
Click to expand...

Sure, closed ports won't protect you from 99% of vulnerabilities. PHP is evil (necessary but evil), Wordpress just as much, Wordpress Plugins are twice so. There are plenty of hardening tutorials out there, but from experience most exploits 0 day or otherwise come from php and/or platform specific vulnerabilities whether that's WP, XF or pick your platform rather than actual viruses/rootkits and/or server or kernel exploits. Keep snapshots and use an HIDS (host intrusion detection system) for when you do get hacked because it happens to the best of us and at least you'll know what files have been compromised quickly.
 
Good stuff, thanks! Just personal sights anyway, but time to learn the ropes. No way I'm paying that much for a near-free certificate!
 
Rusty Snippets said:
Good stuff, thanks! Just personal sights anyway, but time to learn the ropes. No way I'm paying that much for a near-free certificate!
Click to expand...

There's too many perils to list but it's also a great way to learn in a trial by fire sort of way. Google linux hardening or whatever distro you're running. Lots of guides out there. But again keep daily backups of everything in case you do get compromised.
 
ichpen said:
There's too many perils to list but it's also a great way to learn in a trial by fire sort of way. Google linux hardening or whatever distro you're running. Lots of guides out there. But again keep daily backups of everything in case you do get compromised.
Click to expand...
CentOS with Linode. Damn near as cheap as my shared host is! They have great tutorials too!
 
I pay a buck or two a month to run my xenforo sites on, and the sites of others. A vps + ufw, fail2ban, no cpanel, and simple lamp setup with memcache and lets-encrypt .. works fine.
 
Linode has great tutorials. I've spent 2 days tightening it up, and feel good about it. Of course, anyone can get hacked, but not much value on my 3 or 4 personal sites. And I'm learning a lot in the process.
 
ichpen said:
For sure have heard good things about it. Not sure how much focus on security there is with these automation scripts. I know the debian/ubuntu ones (easyengine, isp config et al) are super duper for spinning up configs but fall and roll around on their faces when it comes to security.
Click to expand...

I've only used it a couple times, and it's great. But @eva2000 can probably tell you better than I can :)
 
ichpen said:
For sure have heard good things about it. Not sure how much focus on security there is with these automation scripts. I know the debian/ubuntu ones (easyengine, isp config et al) are super duper for spinning up configs but fall and roll around on their faces when it comes to security.
Click to expand...
@eva2000 is a member of this community and also puts out announcements of security updates, what to do, kernel updates etc. Its like having your own semi managed service for free! - end advert
 
Rusty Snippets said:
Of course, anyone can get hacked, but not much value on my 3 or 4 personal sites.
Click to expand...

They don't care about your sites...most hackers could care less, other than some advertising for their little group. What they do care about is gaining access to your VPS and sending out massive amounts of spam or DDoS attacks until your provider kicks you out. Ultimately, that's what you need to worry about. So don't take security lightly just because they are small personal sites.
 
WSWD said:
They don't care about your sites...most hackers could care less, other than some advertising for their little group. What they do care about is gaining access to your VPS and sending out massive amounts of spam or DDoS attacks until your provider kicks you out. Ultimately, that's what you need to worry about. So don't take security lightly just because they are small personal sites.
Click to expand...
Understood. Thank you.
 
Rusty Snippets said:
Linode has great tutorials. I've spent 2 days tightening it up, and feel good about it. Of course, anyone can get hacked, but not much value on my 3 or 4 personal sites. And I'm learning a lot in the process.
Click to expand...
Digital Ocean has some great tutorials as well for various operating systems. They're a great resource as well.
 
ichpen said:
For sure have heard good things about it. Not sure how much focus on security there is with these automation scripts. I know the debian/ubuntu ones (easyengine, isp config et al) are super duper for spinning up configs but fall and roll around on their faces when it comes to security.
Click to expand...

We chose Centminmod as a base environment and currently all of our servers (6) are running this now. We have made various improvements, mainly around security & logging. The actual performance out of the box doesn't need any adjustment for a small to medium sized site. Lots of stuff included that you can enable or choose not use for NGINX and other tools.

Security, should never be automated. But, at least Centminmod puts in some basic configuration options to help get people on the right track. As mentioned elsewhere, Centminmond's site has great tutorials and how-to's for the inexperienced administrator. (among other sites as well)

(yeah, sounds like a promotion, but we saved a lot of time and effort in choosing Centminmod as a base config to build upon. More time to focus on other stuff.)
 
Rusty Snippets said:
Any wise words of wisdom for a fresh new admin? All pointers appreciated!
Click to expand...
Set up a test server and trial the hell out of things before you go further.

To be totally honest, it is near impossible to hack a server. Like mentioned above, its usually exploits in the CMS you run. Any linux server with:
  1. Disable password login and replace with SSH key,
  2. Install fail2ban so you can jail nasties,
  3. Firewalld is simple and effective to keep all ports closed, other than those running software and secured as such. CSF is nicer if you want to do more,
  4. Bad bot blocker for NGINX setup: https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker
  5. Use cloudflare (You get enterprise DDOS protection, CDN and full crypto - FREE)
I don't use centminmod, and the reasons are various:
  • Bloated installation of NGINX for what defeats the purpose of NGINX' simplicity,
  • Its a personal project. If George fell over dead tomorrow, decided he'd had enough or otherwise that life throws at us all, CentminMod is dead in the water with him.
  • Its an increased risk compared to more stable resources.
Someone dies, quits or otherwise at NGINX, PHP or MariaDB, so forth... everything keeps going forward with security and stability.

Running on a single server, you DO NOT want memcached installed. Provides little to no benefit when benchmarked, and with SSD RAID nowadays, is more hinderance to the process. Absolutely essential IF running a server stack though.

NGINX, PHP and MariaDB are the least of your troubles. Email is the headache. Setting up functional email to send and receive, you will spend more time trying to achieve this than anything else. A simple way around, a piece I wrote the other week: https://centosnoob.com/email-web-server-iredmail-nginx-mariadb-10-x-php-7-x/144/

Always tweak just one thing, measure, look for faults and weird behaviour, then tweak further settings.

DO NOT copy and paste settings from the web that you first do not fully understand what they do or the impact of the setting on your server and users.

There is a lot of learning.

I run a cluster of servers for myself and clients that I setup from scratch using either Linode, DigitalOcean and for Australian installs, BinaryLane as they run a similar setup to Linode and DigitalOcean. Learn and understand the basics, understand everything you do.

Mine run:
  1. Centos 7 Latest Stable
  2. PHP 7.x Latest Stable
  3. MariaDB 10.x Latest Stable
  4. NGINX Latest Stable, Sometimes Mainline
  5. NGX_Pagespeed
  6. Fail2Ban
  7. FirewallD
  8. iRedMail for one master mail server that everything uses, postfix at each IF software needs to mail out.
LESS IS MORE. Goodluck.
 
Last edited:
Anthony Parsons said:
Its a personal project. If George fell over dead tomorrow, decided he'd had enough or otherwise that life throws at us all, CentminMod is dead in the water with him.
Click to expand...
Somewhat true though Centmin Mod is open source project https://github.com/centminmod/centminmod so folks can fork it and do what they what with it etc. I'm heavily invested in Centmin Mod and eat my own dog food and have Centmin Mod running on 120+ servers of mine :)

Anthony Parsons said:
Bloated installation of NGINX for what defeats the purpose of NGINX' simplicity,
Click to expand...
Centmin Mod isn't just an Nginx installer, it's a full LEMP environment auto installer and differs from standard Nginx as outlined at https://community.centminmod.com/threads/explaining-what-centmin-mod-is.8181/#post-46152. And performance wise Centmin Mod Nginx will handily beat any standard Nginx distro install out of the box setup for sure - Centmin Mod Nginx is all about performance and features availability so no it ain't bloated in reference to performance. But yes Centmin Mod Nginx does install more Nginx modules that typical Nginx distro install to expand Nginx's available feature set.

Centmin Mod Nginx is flexible you can minimise nginx modules installed via persistent config file overridden variables outlined at FAQ item 31

Centmin Mod Nginx supports HTTP/2 based HTTPS for better performance utilising OpenSSL 1.0.2/1.10 branch and LibreSSL 2.4/2.5 crypto libraries and end user can switch between them at their choosing. Standard CentOS based Nginx distro installs will not support HTTP/2 out of the box due to CentOS still using OpenSSL 1.0.1 branch without ALPN protocol support so HTTPS will be slower over HTTP 1.1 instead of HTTP/2 via OpenSSL 1.0.2/1.1.0 or LibreSSL 2.4/2.5
Anthony Parsons said:
Its an increased risk compared to more stable resources.
Click to expand...
I've been running Centmin Mod on 120+ servers for past 6 yrs now without issue though yes there is some risk for stability due to using Nginx 1.11 mainline branch though it's also the branch Nginx officially recommends over 1.10 stable as Nginx 1.11 has ALL security and bug fixes while Nginx 1.10 stable has only critical security and bug fixes not ALL of them.
 
Last edited:
eva2000 said:
Standard CentOS based Nginx distro installs will not support HTTP/2 out of the box due to CentOS still using OpenSSL 1.0.1 branch without ALPN protocol support so HTTPS will be slower over HTTP 1.1 instead of HTTP/2 via OpenSSL 1.0.2/1.1.0 or LibreSSL 2.4/2.5
Click to expand...
Yer, updating to 1.0.2k is usually one of the first things I do on a server. A pretty simple task though, and agreed, important one.

I didn't think the 1.1.x branch was even compatible with Centos 7?
 
Rusty Snippets said:
My shared server host wants $150 for the cert and installation!! What?! I asked if they were going to support Let's Encrypt anytime soon, and he said he could get me one from them but the $150 was still the cost!! What?!
Click to expand...
Lets encrypt is super simple to install if you have root access, and you can totally do it yourself without paying your host anything if you have root access to your server. If shared... you're screwed. Lets encrypt also requires a server with approximately 768Mb minimum RAM to run the python loader. Lets encrypt is not however suitable if you run an email server, as the CA cert for Lets Encrypt is not considered a trusted source and will cause anyone sending to your server email to bounce when requiring a trusted TLS connection (i.e. many corporate networks, some Government agencies, so forth)
 
Anthony Parsons said:
If shared... you're screwed.
Click to expand...

Most shared hosts will allow you to install your own cert through cpanel which you can get for $10 from comodo. If they disable this functionality and request that you pay $150 for a cert, or even to install a free LetsEncrypt cert then that seems rather shady so run :)
 
You must log in or register to reply here.

Similar threads

N
Why is my site so SLOW to load
Replies
11
Views
1K
WSWD
WSWD
Jean-Baptiste
Why is my query so slow ? (25 seconds to be run)
Replies
13
Views
1K
Jean-Baptiste
Jean-Baptiste
Coop1979
  • Question Question
XF 1.1 What is this query on index and why is it so slow?
Replies
1
Views
993
ragtek
R
Back
Top Bottom